Who are Scattered Spider? FBI warns M&S hackers are now targeting airline industry

“The FBI has recently observed the cybercriminal group Scattered Spider expanding its targeting to include the airline sector,” the alert states. “These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access.

“They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.”

ALERT—The FBI has recently observed the cybercriminal group Scattered Spider expanding its targeting to include the airline sector. These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access.… pic.twitter.com/gowmbsAbBY

— FBI (@FBI) June 27, 2025

The Cybersecurity & Infrastructure Security Agency, a division of the Department of Homeland Security, published a 2023 security alert about the group. It stated that the underground digital thieves, who are thought to be led by young hackers in the US and the UK, have caused damage in recent years by stealing data from businesses and occasionally extorting them.

Marks & Spencer said in May that it expects disruption from a damaging cyber attack could last well into July as it continues to work on recovering its online systems. The popular British retailer was hit by a ransomware attack launched over the Easter weekend, which is estimated to have resulted in the company losing over £300m in profits.

While investigations are ongoing, speculation regarding the culprits has pointed to a group called Scattered Spider, which is thought to have leveraged the tools of DragonForce.

Here is what we know about this shady organisation.

Who are Scattered Spider?

Also called UNC3944, Octo Tempest or Muddled Libra, Scattered Spider is a hacking group comprised of hackers – some thought to be as young as 16.

Members are said to frequent hacker forums, Telegram channels and Discord servers and are believed to be linked to the "Com”, a loosely affiliated community known for cyber and real-world criminal activity.

Graeme Stewart, the head of public sector at security company Check Point, told Sky News: "Scattered Spider is one of the most dangerous and active hacking groups we are monitoring.

"Since they first appeared in 2022, they have been linked to more than 100 targeted attacks across industries such as telecoms, finance, retail and gaming.”

Members have been suspected of a hack on Caesars casinos – which cost the group $15m (£11.2m) to restore its network. Other UK businesses that police suspect may have been targeted include Co-op and Harrods.

The group is said to be scattered, as the name suggests, with members around the world. Despite this, they are a highly organised criminal network, Mr Stewart added.

"Even with several arrests made in the US and Europe, their structure allows them to regroup quickly,” he said.

The tech website Bleeping Computer identified Scattered Spider as being linked to the breach in February – supposedly using ransomware to encrypt parts of M&S's infrastructure.

Scattered Spiders is thought to use SIM swapping to trick phone providers into thinking a hacker is the real owner of a phone. This can help them to get around two-factor authentication to impersonate IT staff.

What might happen next?

According to a journalist at the BBC, who claimed to have received communication from the hackers, the group said they had stolen large amounts of consumer and employee data and were “frustrated” that the Co-op didn’t give in to their demands.

As for what lies in store for the future of M&S, it appears that teams are working to resume regular online activity and that the hack may have helped strengthen their systems.

Although M&S has resolved its IT issues, Mr Manchin claims that the attack has helped the retailer understand "new and innovative ways of working".

"If anything, the incident allows us to accelerate the pace of change as we draw a line and move on," he said.

Jake Moore, global cybersecurity adviser at Eset, said other retailers being targeted in the wake of the M&S breach was typical, as hacking groups are often inspired to use the same type of ransomware elsewhere after a successful hack.

"It's typical for similar companies in the same sector to become secondary targets after a huge cyber-attack," he said.

"As the strain of ransomware called DragonForce can simply be purchased on the dark web in a model called 'ransomware-as-a-service', other hacking groups are also able to attempt their luck on similar businesses and start demanding ransoms where possible.

"It is often a precautionary measure to shut down parts of a system after a major cyber-attack to mitigate any threats and prevent similar breaches.

"However, attacks involving the DragonForce ransomware most commonly start by targeting known vulnerabilities such as attacking systems that have not been kept up to date with the latest security patches, so businesses need to be extra vigilant and improve how quickly they update their networks."

Cybersecurity expert Cody Barrow, chief executive of EclecticIQ, said the flurry of attacks showed cybercriminals are becoming bolder.

"Coming on the heels of recent breaches at Co-op and M&S, it highlights an alarming trend: attackers are becoming increasingly opportunistic, exploiting weaknesses across complex, highly interconnected supply chains," he said, warning that artificial intelligence was also making it easier for lower-skilled hackers to put together sophisticated attacks.

"What's deeply concerning is generative AI is accelerating the threat landscape.

"Sophisticated phishing campaigns, deepfake social engineering, and adaptive malware are now within reach of even low-skilled attackers.

"This widespread access to advanced attack tools is driving up attack volume, speed and complexity."